Troubleshooting saving credential options for two-factor authentication accounts

[eseb63]

i used Thunderbird for a long time in its 68 version to use with the keebird extension and a KeePass database.

Microsoft recently alerted that classic authentification modes (imap and pop) wouldn't be supported anymore so i test Thunderbird with KeePassXC-mail and KeePassNatMsg to manage oauth authentification.

my configuration :

• Windows 10 professional 22H2
• Thunderbird portable 115.12.2
• KeePassXC-mail 1.8
• KeePass Professional Edition portable 2.57
• KeePassNatMsg 2.0.17.0

first test without any option

I have several Microsoft accounts and another for Orange provider (i am french) : for each, i configured pop and imap accounts in Thunderbird.

I first tested without checking any option checkbox in KeePassXC-mail (i kept the keebird entries in the KeePass database) :

• it worked for the Microsoft accounts without dialog prompt
• it worked whith a dialog prompt for the Orange account, but after having check the "dont ask anymore" KeePassXC-mail didn't find a password anymore. I had to reinstall the extension and plugin

Where is stored this user choice and how to revert for a considered account ?

after that it worked again but with dialog prompt for all accounts.

I then tested the KeePassXC-mail options (my translation may be approximative) :

"auto submit" option :

• if unchecked, we have a prompt dialog like above to select the entry
• if checked, no prompt dialog anymore

"save new credentials" option (classic authentification) :

• it works fine for classic authentification : an entry is created in the KeePass database in a "KeePassXC-mail passwords" group. That entry is used during next access to the account.

"save new credentials" option (two-factor authentification) :

• i got trouble for oauth authentification with microsoft accounts : a dialog prompt the saving in KeePass, twice. each next access, we have a dialog prompt to create a new entry or update the existing one.

i investigated a bit about the oauth protocol and discovered that each access to the account begin with a token request to the oauth server (oauth://login.microsoftonline.com for microsoft) ;

this token is temporary and different at each request, so why saving it in the KeePass database ? it seems to be unuseful as it can't be reused ?

i examined the behavior with the Thunderbird console : a request to oauth://login.microsoftonline.com is made (at least twice, sometimes three), whether a relevant entry exists in the KeePass database or not.

the process is also quite invasive (and is repeated at least twice) :

• KeePassXC-mail dialog prompt to confirm to store the token

• KeePassNatMsg dialog prompt to allow access (several times)

• KeePass dialog prompt to allow the entry creation (or update)

"save new credentials without confirmation" option :

contrary to what the name of the option indicates, the information does not seem to be saved

so, the question remains : shouldn't the "save new credential (with or without confirmation)" option ignore accounts with two-factor authentication?

silent process settings

at this moment, my settings to have a silent process are : in KeePassXC-mail :

• check the "auto submit" option
• uncheck the "save new credential" options

in KeePassNatMsg :

• uncheck the "show a notification when credentials are requested"
• check "use legacy host matching option" (don't prompt when host matches title/url)

last questions :

• what is exactly the action of "clear storage of the selected entries" button ?

• i don't understant why the KeePassNatMsg key showed in KeePassXC-mail doesn't match the one showed in the KeePassNatMsg options in KeePass ? hexadecimal conversion ?

• why KeePassXC-mail ask for such permissions (total access to Thunderbird and the computer) ?

thanks in advance for the reply

[eseb63]

what are supposed to be these files? they are blocked by mediafire as dangerous ones

[kkapsner]

Where is stored this user choice and how to revert for a considered account ?

This choice is stored in the extension storage provided by Thunderbird. To reset that you have to click "Clear storage of selected entries":

this token is temporary and different at each request, so why saving it in the KeePass database ? it seems to be unuseful as it can't be reused ?

This token is used the next time to access the server and then renewed. So without saving it you would have to authenticate every time.

a request to oauth://login.microsoftonline.com is made (at least twice, sometimes three)

this to get and update the right token

so, the question remains : shouldn't the "save new credential (with or without confirmation)" option ignore accounts with two-factor authentication?

This would only leave you with the option to store the token in the Thunderbird password manager...

i don't understant why the KeePassNatMsg key showed in KeePassXC-mail doesn't match the one showed in the KeePassNatMsg options in KeePass ? hexadecimal conversion ?

I display the database hash which indentifies the database. I think in KeePassNatMsg you see the key of the connection (I do not have that available at the moment... but in KeePassXC it's that way). I will display the first few characters of the key in the next version...

why KeePassXC-mail ask for such permissions (total access to Thunderbird and the computer) ?

To be able to interact with the password management system of Thunderbird it needs to use a so called experiment. I already opened this ticket to not have the need to request so high privileges. But as long as this is not implemented there is no other way.